Posted
by
timothy
on Monday August 01, 2011 @05:57PM
from the goodnight-snookums-wookums dept.

jbrodkin writes "A new Android Trojan is capable of recording phone conversations, according to a CA security researcher. While a previous Trojan found by CA logged the details of incoming and outgoing phone calls and the call duration, new malware identified this week records the actual phone conversations in AMR format and stores the recordings on the device's SD card. The malware also 'drops a 'configuration' file that contains key information about the remote server and the parameters,' CA security researcher Dinesh Venkatesan writes, perhaps suggesting that the recorded calls can be uploaded to a server maintained by an attacker. Installation of the Trojan requires some user interaction, but the malware recreates the look and feel of the standard Android application installation process, and may fool some unsuspecting users."

So I have to rootkit my own phone in order to record anything but this trojan can just record everything on its own? What a scam! I'm glad it takes a virus writer to extract what I consider to be a basic functionality out of my phone.

I was under the impression that there were no public APIs for getting at the audio data from the call in progress,specifically to keep people from making apps that could record calls due to legality issues (wiretapping, etc, depending on your location and jurisdiction).

The "recorder" programs that are out there recording directly from the mic, and are usually not able to pick up the output from the speaker (and if they do, it's usually very faint). iPhones / iOS lack the capability for the same reasons.

I think a lot of people would find it very useful, for a number of various reasons, to have the ability to have their calls automatically recorded, with metadata of who, when, etc, stored in.WAV or other easily playable format, and automatically synced with their PC.

I was very disappointed to find that I could not record calls on my android phone the way I could on my windows mobile phone, but I ended up switching to VOIP rather than use voice minutes, and CSipSimple is a great free (GPL) VOIP app that I ended up settling on. Once I went through the config I found that it has the option to record calls, and now I have a feature I wanted badly along with VOIP.

There are many ROMs that support proper "official" call recording ripped from the OEM Samsung Korean ROMs (which have it enabled by default IIRC). I've used it and it works perfectly, no mic-record nonsense involved. AFAIK it only works on Froyo so far.

Or you can just use MIUI, which everyone should be doing anyway. It kicks ass and supports call recording. No virus needed.

The issue would seem to be a legal one. It is illegal in many US states to record a phone call unless both parties agree to it before hand. My understanding is that Google locked down the API for call recording as a result. They are still there however, but they dont work on all phones.

This raises another point, did they test this "torjan" outside of the dev (emulated) environment? Because there are a number of call recording apps out there, but they simply wont work on a lot of Android builds because the

You need a patched kernel to get access to the API'sA few of the custom ROM's are now using this patch in their kernels as standard (CM7 for one). There's a specific CallRecorder app that's designed to use that patch and API's with some ROM's and it works great!

Actually most states are one party consent when it comes to recording phone calls/conversations. Only 11 states require all parties to consent to the recording. In any case the manufacture cannot be held legally responsible for the actions of the end user.

As his notes and the related XDA forum say, you need to also patch, if your ROM doesn't already include support for it.(When I switched from one ROM to another recently, it stopped recording, even though the su log showed call recorder still starting and stopping with each call. This is why.)

"it's also currently ranked number *eight* by users for Android bugs" This is interesting since this is missing functionality not a bug. Android phones do not advertise or provide this as default functionality. Maybe you used "bug" by mistake but if not there are significant differences in how bug reports and new functionality requests are prioritized and released with "bugs" usually getting the priority depending on the severity. If you are adding new functionality you might, I say might, be depending on t

This is an application that records phone calls. It tells you it will do this when you install it and it will require you opt to install it from an untrusted site after configuring your phone to allow such an action.

But then I guess "phone call recording app records phone calls" is less of an alarmist title.

(It can upload the recordings ) to a malicious user. Read the fucking summary.

I just did. It says perhaps suggesting. There is no actual indication that it can even do so; that behavior was not observed on the two emulators they ran the software on and it doesn't look like they even tried to reverse engineer it.

Here's the link to the actual article by the CA researcher: http://community.ca.com/blogs/securityadvisor/archive/2011/08/01/a-trojan-spying-on-your-conversations.aspxSome items to note:

1. Nowhere does he provide reasoning or justification for why this software is being consid

We need a name for apps that do things that the OS maker doesn't want apps to do. Since it's Android, I think the appropriate term is "renegade." How's this for a title "Renegade app allows Android users to do something Google doesn't want them to do."

I've wanted a telephone recording app for my Droid...ever since I got my Droid. I live in a one-party state, so it's no big deal to record calls when I deem it useful.

I have a funky little microphone from Olympus that fits into my ear and does a very good job of capturing my own voice and the audio from the telephone's earspeaker, but carrying that and the digital recorder that goes with it is bothersome -- let alone cabling it all up to use it.

Not to disagree with your point but...why do you want apps running "in a chroot jail" when none of the apps on the whole phone, even mission critical apps like the dialer, already run as an unprivileged user?

I think you're confusing root with having write permissions to the SD card or something here. Without manually rooting the phone itself, NOTHING ON THE WHOLE DEVICE runs as root. Placing every app in a jail is just going to add a small amount of additional memory overhead for every process.

Check out the excellent Droidwall [appbrain.com] app. It requires root of course to run iptables, but shouldn't we all have root on our phones?

To the GP, I agree android should support finer grained permissions (and each version of the OS has more perms) in addition to selecting which permissions the user wants to grant the app! (Not just "OK" to allow all the permissions the app asks for, but the user could pick and choose which perms to give it; obviously not granting some perms would cripple some apps..) Without that a

Oh, I agree that's a problem -- which is why I would love the ability for the user to decide which permissions to grant. The app requests them, and the user grants/denies them on a fine-grained basis.

However, Angry Birds on Android (all 3 versions) do not request access to the contact list. At least the ones I downloaded from the market. They all want internet access though, and the standard version wants GPS location.

Why do you need a chroot, if you can just set permissions such that the app can only see what it needs to see?

And Android does that already. System partition is by and large off-limits. Each app gets its own directory with full access to itself and no-one else, which is the default storage location. SD card (or whatever is mounted to/sdcard - on phones like Nexus S, it's just a separate partition) is shared between all.

Why do you need a chroot, if you can just set permissions such that the app can only see what it needs to see?

And Android does that already. System partition is by and large off-limits. Each app gets its own directory with full access to itself and no-one else, which is the default storage location. SD card (or whatever is mounted to/sdcard - on phones like Nexus S, it's just a separate partition) is shared between all.

Some applications will not run if they can't have access to the filesystem. I would still like to run these applications. The Chroot jail would allow you to present a fake filesystem to the application that it can change however it wants without breaking anything else. The same thing can be extended to other areas. App refuses to run without seeing your contacts? Here, have a fake address book.

You have to install it from an untrusted source. If you go to an android phone Application->Settings and manually enable "Allow the installation of apps from untrusted sources" Then add the untrusted source that hosts malware then you will be able to install it. In other words you have to go out of your way to get infected. You know... leave the garden of Google Marketplace. Most people that choose to exercise that choice (Which Dear Leader Steve does not allow on your iPhone) will know to be caref

The linked article (and the blog post that it links to) doesn't say what makes the app a trojan as opposed to functionality the user may have actually been intending to install. What was the app pretending to be? Scaremongering, or just a poorly written blog post?

This thing tricks users into installing it by mimicking a legitimate installation screen, records conversations, and contains configuration information for a remote server which suggests uploading of those conversations, and you think it's "scaremongering" to label it a trojan? Give me a break.

A piece of software tricks the user into installing it, secretly records phone conversations, and sends them to a remote server, and you're wondering why it's considered a trojan? A trojan is any piece of malicious software that tricks the user into installing it through social engineering.

Android has strict permissions enforcement for every application. It's even built into the marketplace! You cannot install an application without first being told WHAT the application wants access to. If the application wants to record your phone calls, the installer will specifically tell you the application is requesting access to your microphone. The installer forces you to scroll down to hit next, and there is literally NO WAY you can miss reading it. If you install applications from an untrusted source, Android will specifically WARN YOU that you could be installing something dangerous.
The above article is nothing but FUD. If you read the source article, it says you have to install from an untrusted source, go through the warnings, and still go through the installation process.

So in other words: Android is secure because every human being should be perfectly capable of reading dialogs, groking the details, and making use of trusted sources instead of untrusted ones. All the people who aren't reading articles, groking their details, and referring to trusted article sources are obviously spreading FUD about how Android treats the issue of security.